“We submitted the wrong SAQ. Now what?”

April 23, 2014 • Published Categories PCI 101 Tags , , ,

Question: Are there any self-disclosure requirements based on inaccurate SAQ submissions? For example, if the incorrect SAQ was completed, what steps should be taken to complete the correct SAQ and how long would a company have to resubmit?

Answer: This would all come down to what the enforcing organization is asking for.  There are no defined disclosure requirements around filling out the wrong SAQ.

When an organization realizes the wrong SAQ has been used to validate compliance, the correct SAQ should be reviewed, completed and submitted.  The timeframe around the completion and submission would again be left up to the enforcing organization (acquiring bank/merchant service provider/independent sales organization).

Leave a Comment